Ru-Ge Skepticism

The Internet-based attacks surrounding the Russia-Georgia conflict in August 2008 have resurfaced thanks to a report by the U.S. Cyber Consequences Unit (US-CCU). Because the report is top secret, all that is publicly available is a summary.

There are a number of reports on the Ru-Ge incident. While some are very well done, noticeably absent from these reports are attempts to provide and explore alternative explanations. Since attribution in these types of attacks is difficult (to put it mildly), analysis is often infused with a predisposition toward a certain conclusion, and all evidence is interpreted in only one direction. (Morozov’s “10 easy steps to writing the scariest cyberwarfare article ever” is applicable to most of them.)

Since there is basically no “smoking gun” in cyberspace, the credibility of one’s claims depends on how well one explores alternative explanations.

One of the Ru-Ge issues I have been thinking about concerns timing. In the US-CCU report summary the issue of timing is raised. The US-CCU concludes:

The organizers of the cyber attacks had advance notice of Russian military intentions, and they were tipped off about the timing of the Russian military operations while these operations were being carried out.

Why? Because they “had” to be.

Many of the cyber attacks were so close in time to the corresponding military operations that there had to be close cooperation between people in the Russian military and the civilian cyber attackers.

Maybe, but are there other possible explanations?

First, the timing of the war itself is unclear. The NY Times reports that Georgia believes that the Russians had crossed the Roki Tunnel by 3:41 a.m. on August 7, 2008. The Russians say it was not until 2:30 p.m. on August 8, 2008, after Georgia had begun shelling Tskhinvali at 11:30 p.m. on August 7, 2008. The NYT reports that “Western intelligence” indicates that the Russians “may have moved to secure the entire tunnel either on the night of Aug. 7 or early in the morning of Aug. 8.”

Second, the timing of the internet-based attacks is unclear. The CCD COE report cites a STRATFOR report which claims:

“Russia’s offensive against Georgia began not with tanks or fighter jets, but in cyberspace. STRATFOR knows firsthand that Georgian government and media Web sites began to crash the night of Aug. 7 — well before Russian troops emerged on the south side of the Roki Tunnel in the breakaway republic of South Ossetia the following morning.”

Shadowserver, a trustworthy and awesome group, documented DDOS attacks beginning on August 8, 2008. The attacks were from known C&C’s, some of which have been around for more than a year and have attacked unrelated sites. In fact, the same C&C’s attacked www.president.gov.ge on July 20, 2008.

Dancho Danchev wrote an informative post in which he stated that, following the July attack, there had been discussions on DDOS and defacements and their use should it be needed:

The attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists. The peak of DDoS attack and the actual defacements started taking place as of Friday

US-CCU says that because the attacks materialised so quickly in connection with the Russian kinetic attacks, the internet-based attacks must have been prepared in advance and that “the signal to go ahead also had to have been sent before the news media and general public were aware of what was happening militarily.” Well, we already know that there was a DDOS in July by the same C&C’s that attacked in August. Also, there had been “active discussions across the Russian web” after the July attacks on DDOS and defacement of Georgian and related targets. And from the limited logs that I’ve seen, there were a variety of attacks, including SQL injection, occurring over this period.

Moreover, some of the web sites that were defaced had been previously defaced. mfa.gov.ge was defaced on 2008/04/17 (and three times in 2000, suggesting it has a history of insecurity) and parliament.ge was defaced on 2008/03/14. (Zone-H’s gov.ge defacement archive.)

News media had been consistently reporting on the ongoing conflict in the region. For example, CNN reported on August 7, 2008 that Georgia had accused Russia of bombing Georgian territory. And the Russian incursion into Georgia was widely reported on August 8, 2008.

It is unclear if the attacks began before the Russian kinetic attack, or afterward. Part of the reason is that when the Russian kinetic attack began is unclear. This makes the correlation of the internet and kinetic attacks unwieldy.

The botnets were in place (busily attacking unrelated targets), had been used previously against www.president.gov.ge, and could be issued commands at any time. The web sites that were defaced had been previously defaced, and mfa.gov.ge had a long history of insecurity. The global news coverage of the crisis indicated that the crisis was escalating and that a Russian bombing campaign may have started on August 7th.
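The timing argument above can be checked mechanically. The following is an added example, not code from the original post: it treats each source’s claim about when the Russian crossing began and when the DDOS began as an interval of possible onset times, and asks which orderings (cyber first, kinetic first, simultaneous) are consistent with a given pair of sources. Precise times are taken from the post; vague phrases like “night of Aug. 7” are given constructed bounds, and all times are treated as the same local time zone, both of which are assumptions. The point it demonstrates is that the “so close in time” conclusion depends on which sources you pick, and that with all sources admitted the lag between the two onsets can be anywhere from roughly 20 hours negative to nearly two days positive.

```python
from datetime import datetime, timedelta
from itertools import product


def interval(earliest, latest=None):
    """An onset claim as (earliest, latest); a precise time is a zero-width interval."""
    lo = datetime.fromisoformat(earliest)
    hi = datetime.fromisoformat(latest) if latest else lo
    assert lo <= hi
    return (lo, hi)


# Kinetic onset claims (Russian forces crossing the Roki Tunnel), as relayed by the NYT.
# "Western intel" bounds are constructed from "night of Aug. 7 or early morning of Aug. 8".
KINETIC_CLAIMS = {
    "Georgia (NYT)": interval("2008-08-07T03:41"),
    "Russia (NYT)": interval("2008-08-08T14:30"),
    "Western intel (NYT)": interval("2008-08-07T20:00", "2008-08-08T08:00"),  # constructed bounds
}

# Cyber onset claims. STRATFOR: "the night of Aug. 7"; Shadowserver: "August 8".
# Both sets of bounds are constructed from those phrases.
CYBER_CLAIMS = {
    "STRATFOR": interval("2008-08-07T18:00", "2008-08-07T23:59"),  # constructed bounds
    "Shadowserver": interval("2008-08-08T00:00", "2008-08-08T23:59"),  # constructed bounds
}


def envelope(claims):
    """Smallest interval covering every claim: what you get by admitting all sources."""
    los, his = zip(*claims.values())
    return (min(los), max(his))


def possible_orders(cyber, kinetic):
    """Set of onset orderings consistent with the two intervals."""
    orders = set()
    if cyber[0] < kinetic[1]:
        orders.add("cyber first")
    if kinetic[0] < cyber[1]:
        orders.add("kinetic first")
    if cyber[0] <= kinetic[1] and kinetic[0] <= cyber[1]:
        orders.add("simultaneous")
    return orders


def lag_range(cyber, kinetic):
    """(min, max) lag of cyber onset relative to kinetic onset; negative means cyber came first."""
    return (cyber[0] - kinetic[1], cyber[1] - kinetic[0])


def pairwise():
    """Orderings implied by every (kinetic source, cyber source) pair."""
    return {
        (k, c): possible_orders(CYBER_CLAIMS[c], KINETIC_CLAIMS[k])
        for k, c in product(KINETIC_CLAIMS, CYBER_CLAIMS)
    }


def determinate_pairs():
    """Pairs of sources that fix a single ordering, with that ordering."""
    return {pair: next(iter(o)) for pair, o in pairwise().items() if len(o) == 1}


if __name__ == "__main__":
    for (k, c), orders in pairwise().items():
        print(f"{k:22s} vs {c:13s} -> {sorted(orders)}")
    lo, hi = lag_range(envelope(CYBER_CLAIMS), envelope(KINETIC_CLAIMS))
    print(f"all sources admitted: lag between {lo} and {hi}")
```

Three source pairs do fix an ordering, but they disagree with each other (Georgia’s 3:41 a.m. claim puts the kinetic attack first against either cyber source; Russia’s 2:30 p.m. Aug. 8 claim puts the cyber attack first against STRATFOR), and the remaining pairs fix nothing. Any report that states the ordering as settled has silently chosen its sources.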

In my view there is an alternative explanation that deserves to be explored: potential attackers who had been discussing potential attacks since July 20, 2008 and following the events could have been ready to respond as the crisis predictably escalated, without advance knowledge of the Russian attack or any explicit coordination with the Russian military.

2 comments.

[…] I thought I subscribed to Nart Villeneuve’s blog, but apparently not, so I missed this post, Ru-Ge Skepticism, from a couple of weeks ago, in which Villeneuve takes aim at the conclusions of the US-CCU report. […]